The NSA's Prism must be countered with public policy, says crypto guru Phil Zimmermann

Encryption not enough on its own

The National Security Agency's Prism surveillance system is a dangerous hostage to fortune that must be countered using public policy and not simply clever security technologies alone, privacy campaigner and encryption luminary Phil Zimmermann has argued.

It's an unexpected position for a man whose new company, Silent Circle, sells possibly the single most credible anti-surveillance service on the market, and who wrote his own chapter in the history books by inventing the legendary Pretty Good Privacy (PGP) encryption software in the early 1990s.

It's also fair to say that the Prism controversy might be good for Silent Circle's business model, a sort of gigantic imaginary neon sign saying 'we told you so'.

"The surge of interest we've had over the last 10 days is huge," admits Zimmermann during a phone call that would doubtless be simple for a system like Prism to monitor. In Zimmermann's case, phone taps aren't required because he'll tell you what he thinks about the surveillance era before you even ask.

"I recognise they [the NSA] have a job to do but there is over-reach and it is harmful," he begins. "If we create a technological infrastructure like the one we saw last week, a government could use it to create an incumbency that could not be shifted by elections."

Some citizens will find Prism comforting on the naive assumption that they have done nothing wrong, or even see surveillance as inevitable, but allowing such systems to exist without oversight is hugely risky for the US, for anywhere, contends Zimmermann.

"Even if you imagine that this Government has put it [Prism] in place with honourable intentions a future government could abuse it. In 2017 who is going to be President? We have no idea," he worries.

"Will that government have the moral sensibility of Thomas Jefferson or Vladimir Putin?"

Zimmermann makes the point that a system as all-seeing and powerful as Prism sets benchmarks for governments not worried about moral nuances. They will want to have the same, as will criminal organisations determined to burrow deep into the data's inner sanctum in search of the contact details of witnesses to crimes or, worse, the judiciary themselves.

Prism sets an example, acts as a proof of concept, and effortlessly sells its dangerous possibilities. He has a point. The fact that we know of Prism's existence is down to a single ex-employee, Edward Snowden, who decided to blow its cover for a principle. Might another employee fall the other way and siphon or sell secret data?

The era of surveillance will surely be fraught with huge risks to everyone. There will be many Prisms.

When it is put to him that at least Internet users have tools at their disposal to secure their private data - end-to-end encryption is at least an aspiration, for a start - Zimmermann slaps this down. Technology is a consequence of surveillance, not the solution to it.

"I worry about people falling into fatalism and feeling they can't do anything about it," he says. "We need to fight back not just with [technology] but with public policy."

The key moment was 9/11, both for him and for the system that was given a historic jolt.

"Before 9/11 I was mainly worried about Moore's Law because Moore's Law erodes privacy," he says, noting that the exponentials of processor power birth more and more possibilities when it comes to looking for patterns in data using automated systems, in real time.

"After 9/11, Moore's Law was accelerated by public policy."

September 2001 mattered because after that point the potential of Moore's Law was aided by public decisions that claimed, indeed assumed, that surveillance was now necessary. These events 'won' important arguments without those arguments being had in public or with the public.

One thing that does appear to have shifted since 2001 is the perception some people have towards their privacy. Surveys routinely find that privacy is a high priority for people who still happily sign up for Facebook.

Zimmermann worries less about the integrity of the firm than what it engenders in society as a whole.

"Facebook has had the effect of de-sensitising people to privacy. Each violation becomes a baseline for more violations," he says. He complains bitterly about the complexity of many privacy controls that are regularly overhauled in ways that users can't keep up with.

As for the phone providers, his expectations are low. "Phone companies have 100 years of behaviour that is wiretap-friendly." It is simply too ingrained for them not to make this easy, because that's how they've always worked.

Zimmermann himself points out the irony of Silent Circle's place in his career. It is a service provider selling end-to-end encrypted email, texting, VoIP and mobile phone calls created to solve the suspicions people have about service providers.

Silent Circle does have some limitations, such as the need for both sender and receiver to use the service (a partially-secure service that works without end-to-end encryption is also now available), but the takeaway point is that it is a gateway: no encryption keys are stored by the firm. Zimmermann designed it (including the implementation of his own ZRTP VoIP protocol) that way.

However, perhaps the greatest irony of all is that some of its most enthusiastic users are specialist departments of government, including the military and special services of the US, UK and Canada. The very people who could in theory access Prism-like systems prefer to use Silent Circle because it stops that being possible for their own communications.

Another sector keen on Silent Circle is large enterprises operating in countries such as Russia or China who fear the Prism-like systems that might exist there to spy on their business deals; entities focused on the need for profit and survival understand the importance of secrecy even if, for now at least, citizens have still to catch up with their own interests.

Nearly ten years ago, Techworld interviewed Zimmermann and it's remarkable how constant the themes are between then and now. He's still a worried man, prophetically so. And ten years hence? The clues are always in the Prism.

Stories by John E Dunn